Thursday, April 1, 2010

The Zeus Trojan was knocked off of malware's Mount Olympus this week when the upstream provider for six of the most notorious Zeus-hosting ISPs was taken down.

The shutdown of Kazakhstani provider Troyak-AS March 9 is credited with cutting the number of active Zeus command-and-control servers from 249 to 181, a number that has fallen and risen again in the past few days and now stands at 191 according to the most recent figures from Zeus Tracker. Just how long the drop-off will last remains to be seen. In fact, Troyak-AS has repeatedly obtained new upstream providers of its own every time it has been disconnected.

"After successful disconnection by Oversun Mercury and iHome, Troyak-AS obtained a new upstream provider through NAssist/YA," Mary Landesman, senior security researcher at Cisco's ScanSafe, told eWEEK. "That provider also disconnected their service, after which Troyak-AS moved to RTComm. Once again, they were disconnected by that provider. Currently, Troyak-AS has switched to NLine, but we anticipate they too will soon disconnect them."

The situation highlights a troubling pattern of security cat-and-mouse. When a particular rogue ISP is taken down, others step into its shoes, while the botnets improve the code for finding new hosts if the main command-and-control server is taken down.

The problem is exacerbated in the case of Zeus, which is not a single botnet but a collection of thousands of variants of a Trojan that can be customized by attackers. Just recently for example, NetWitness researchers uncovered a 75,000-strong botnet built with Zeus.

But that was just one of many, Landesman noted. Older versions of the Trojan can typically be found in the cyber-underground for free, with newer editions selling for between a few hundred and a few thousand dollars, according to research from F-Secure.

"In short, Zeus is a vast in-the-cloud distributed network supported by multiple bot herders and millions of infected PCs," she said. "The wide availability and ease of configuration supports multiple botnets, with space on individual segments of these botnets leased to various bidders. The success lies in this diversity and the autonomy that creates."

Arguably the most effective ISP takedown yet was the shutdown of McColo in 2008, which effectively killed the Srizbi botnet. Spam levels however did not stay down for long, and some suspect the owners of Srizbi may be operating other botnets, such as Rustock.

"Since the de-peering of McColo at the end of 2008, the malware technology behind botnets has improved significantly and as a result subsequent takedowns during 2009 were less effective," said Paul Wood, MessageLabs intelligence senior analyst for Symantec Hosted Services. "Botnets have become much harder to disrupt, often favoring HTTP as a C&C protocol with instructions in some cases now disguised as postings on social networking sites, blogs and microblogging sites."

There is good news, however. According to Sean Brady, product manager in the Identity Protection and Verification Group inside EMC's RSA security division, the transition of Zeus-infected PCs to alternate services has not been particularly smooth.

"It was observed by the evening [ET] of the 10th that systems leveraging [Troyak-AS], including the considerable volume of Zeus traffic, were beginning to route through alternate service providers [that] the fraudsters leverage as part of their efforts to keep their systems redundant," Brady told eWEEK. "Since the 10th, these efforts have been inconsistent and somewhat unstable, and by all appearances levels have not yet bounced back to levels witnessed prior to [Troyak-AS] going dark."

From a long-term perspective, taking on service providers should act as a deterrent, Landesman said.

"The continued takedowns not only disrupt the malicious hosts serviced by Troyak, it also disrupts their legitimate customers [and] the Zeus bot controllers on this segment are also facing financial losses and perhaps additional expenses as well," she said. "As costs of doing criminal business increase, the criminal business model becomes less profitable and hopefully less attractive."